Crisis Prevention and Preparedness

Originally published: 19 July 2021

By Mads Pærregaard, CEO of Human Risks. Created for the ASIS Community.

Options and Choices for Avoiding and Averting Crisis

“Spending 2% of the damage could have prevented COVID-19.”

In modern healthcare, it is a common assumption that prevention is better than cure. The same could be said when it comes to ensuring an organization’s resilience. In a recent Lab News article, Dr Nigel Whittle claims that the world could have prevented COVID-19 by spending just 2% of the financial damage caused by the global pandemic.

In principle, investing a small percentage of the overall damage to prevent another global pandemic sounds like a no-brainer. How, though, do you actually plan for and prevent the next crisis when it is so difficult to accurately predict the future? Many factors feed into an array of potential outcomes: what could happen, when and how it will happen, and how best to prevent or manage the crisis should it occur.

To secure a strong and sustainable foundation to build from, this article focuses on the planning phase. We will look at two distinct yet intertwined and interdependent approaches to crisis prevention – the Scenario and the Impact-based Approach.

Definitions and Choices: The Scenario, or the Impact-based Approach?

When preparing an organization for the worst, ensuring a relatively swift operational return to ‘situation as usual’ is the standard end goal. There are, however, two different routes that Security Managers can take to successfully tackle the challenge of a crisis.

One approach, the Scenario, would be to identify and plan for a multitude of different risks that could affect your business at times of crisis. These risks may include violent crime, arson, and civil or political unrest.

An alternative way to tackle a crisis would be to identify your organization’s critical key resources. These are the resources you must deploy to ensure that products and services (along the supply chain) are delivered as the market expects. A crucial part of this type of preparedness planning is to evaluate and analyze what would happen if these critical key resources became unavailable – this is the Impact-based Approach.

Both approaches have pros and cons. Below we discuss and compare each option in more detail:

The Scenario-based Approach

The human brain is notoriously bad at assessing the likelihood of an outcome. As psychologist, economist and Nobel Prize laureate Daniel Kahneman’s theory explains, “The suboptimal decisions that may result from heuristic decision-making processes are known as ‘cognitive biases’.”

Cognitive biases arise when our brain is predisposed to, and influenced by, our previous experiences, beliefs and values. This unavoidable human mindset can interfere with the process of accurate likelihood assessment. Therefore, when we analyze security risks in various given scenarios, there are always details that can be adversely assessed due to human influence. This results in an increased risk of inaccurately predicted outcomes.

The risk of adverse human influence in response to key details can also cause the incorrect identification of future scenarios (risks), and the inaccurate assessment of threat situations.

The effects of human error can cause an increase in organizational resource being spent unnecessarily on preparing for events that will never happen. A further leak in an organization’s resource pool can arise from business growth goals and opportunities being missed due to resources being dispatched elsewhere, or halting or reducing specific operations due to impending uncertainties of a scenario that will never be realized.

The concept of having plans in place for a multitude of different scenarios represents a string of issues in itself. One is the question of applying available resources in an optimal way, as mentioned previously. Another is the limited bandwidth afforded to Security Risk Managers in most organizations. Competition for Senior Management engagement can be drowned out by the chorus of other disciplines also vying for attention, such as HR, IT, Health & Safety, etc.

Another challenge is to generate and sustain employee attention. This can detrimentally affect the buy-in from wider departments needed to secure optimal systematic security performance. There can, as a result, be a costly time delay for detailed plans to be signed off and for role-play exercises and training sessions to be implemented.

Many Security Managers with backgrounds in the Armed Forces (myself included) have been brought up in a system where the mantra sounds a lot like, “it’s better to have a plan” or “it’s better to have a need not, than to need a have not.” This approach is well and good if you have time to implement, train and adapt in an organization that is focused on preparing for the worst. However, in a thriving business focused on delivering products and services to customers, the idea of spending time on learning new crisis plans – and training for them – comes second (if not third, or fourth, or…).

Section Summary:

  • Human beings are poor at assessing likelihoods (and cannot predict the future)

  • Spending unnecessary resource on planning for the unknown

  • Failure to support business objectives

  • Lack of the attention, time and resources required to actually implement, train and exercise the plans, and therefore failure to put plans to use when a crisis happens

The Impact-Based Approach

The Impact-based Approach commences from a different starting point to that of the Scenario by following the principles of the known frameworks for Business Continuity.

Upon reviewing the free templates on our website, you will be guided through the identification of key processes and the essential resources required for an organization to maintain product and service delivery during a crisis.

A relatively simple approach might look like this:

  1. First, define the timeline (e.g., 1 hour, 1 day, 3 days, 1 week, 2 weeks, etc.)

  2. Secondly, ascertain stakeholder impact on key influencers such as customers, reputation, regulatory, governance and financial sectors on a scale from 1 to 3 (low – medium – high)

  3. Lastly, analyze the impact on the identified stakeholder when the unavailability of key suppliers, buildings, IT systems, people and/or equipment (depending on your organization and your area of responsibilities) becomes critical to the organization. This will help you to clearly visualize your organization’s tipping point

By following the above process, you will generate a prioritized list of the company’s most critical resources. This will enable you to understand what you need to make alternative plans for. For example, if a certain building is critical to your organization, then the above-mentioned approach will also tell you how much time you have to find an alternative solution. This will help you to prioritize the different options – do we need a hotel floor on standby at all times, or do we have enough time to relocate to another secure site associated with our company?
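
The three steps above, worked through as an added Python example (not part of the original article or the Human Risks templates). The resource names and scores are constructed, and treating the first time horizon at which any stakeholder impact reaches 3 as the tipping point is an assumption made for the illustration.

```python
# Added illustration of the three-step impact assessment; all data is constructed.
HORIZONS = ["1 hour", "1 day", "3 days", "1 week", "2 weeks"]  # step 1: timeline
STAKEHOLDERS = ["customers", "reputation", "regulatory", "governance", "financial"]
HIGH = 3  # step 2 scale: 1 = low, 2 = medium, 3 = high

# Step 3: impact on each stakeholder after each period of unavailability.
ASSESSMENT = {
    "Head office building": {
        "customers": [1, 1, 2, 3, 3], "reputation": [1, 1, 1, 2, 3],
        "regulatory": [1, 1, 1, 1, 2], "governance": [1, 1, 2, 2, 3],
        "financial": [1, 1, 2, 2, 3]},
    "Order-processing IT system": {
        "customers": [2, 3, 3, 3, 3], "reputation": [1, 2, 3, 3, 3],
        "regulatory": [1, 1, 2, 3, 3], "governance": [1, 1, 1, 2, 2],
        "financial": [1, 2, 3, 3, 3]},
    "Packaging supplier": {
        "customers": [1, 1, 1, 2, 2], "reputation": [1, 1, 1, 1, 2],
        "regulatory": [1, 1, 1, 1, 1], "governance": [1, 1, 1, 1, 1],
        "financial": [1, 1, 1, 2, 2]},
}

def validate(rows):
    """Reject incomplete or out-of-scale input before it skews the ranking."""
    if set(rows) != set(STAKEHOLDERS):
        raise ValueError("every stakeholder must be scored")
    for scores in rows.values():
        if len(scores) != len(HORIZONS) or any(s not in (1, 2, 3) for s in scores):
            raise ValueError("need one 1-3 score per time horizon")

def tipping_point(rows):
    """Assumed rule: first horizon at which any stakeholder impact is high."""
    validate(rows)
    worst = [max(column) for column in zip(*rows.values())]
    return next((h for h, s in zip(HORIZONS, worst) if s >= HIGH), None)

def prioritize(assessment):
    """Most critical first: earliest tipping point, then highest total impact."""
    ranked = []
    for resource, rows in assessment.items():
        tip = tipping_point(rows)
        deadline = HORIZONS.index(tip) if tip else len(HORIZONS)
        total = sum(sum(scores) for scores in rows.values())
        ranked.append((deadline, -total, resource, tip))
    return [(resource, tip) for _, _, resource, tip in sorted(ranked)]

if __name__ == "__main__":
    for resource, tip in prioritize(ASSESSMENT):
        print(f"{resource}: tipping point {tip or 'not reached within 2 weeks'}")
```

The tipping point returned for each resource is the time available to put an alternative in place, which is what decides between a standby arrangement and a slower relocation.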

During this initial step, you might not know what caused the unavailability of an office building, or a critical supplier of IT infrastructure. However, you are able to prepare plans to replace the most critical and essential resources swiftly to ensure business operations can still deliver to market as expected.

The next step could then be to start identifying what scenarios (risks) may cause the unavailability of critical resources – such as arson, demonstrations, or terrorism – which will, in turn, support the initial Business Continuity plan and help to secure relevant preventive measures.

The Impact-based Approach has many advantages in generating resilience by ensuring a focus to support overall business objectives and efficient, effective resource spending. It is worth noting that you will have to collect information from across the organization to ensure quality in the assessment of resources most critical to your business.

Conclusion

Even though the two approaches we have discussed may seem very different, they still overlap and should work together. However, the Impact-based approach is valuable in ensuring that plans are streamlined to secure the most relevant parts of an organization during a crisis. The Scenario approach can be useful for training employees in protocol for known common threat situations such as terrorist attacks, hostage-taking, burglary, bank robbery, and other similar events.

Both approaches can support Enterprise Security Risk Management (ESRM) implementation by taking a holistic view of security risk, in alignment with organizational business goals and objectives. For more on ESRM, review this article.

Further Considerations:

What could influence your choice of approach?

  • Available resources

  • The attention you can get from the organization (employees and management)

  • Industry-specific risks (either by regulation or because they are so obvious due to the operational environment that they must be addressed)

  • Organizational culture (do we like plans, is there support for crisis preparation, or do we cross that bridge when we get to it?)

For thoughts and comments, or to discuss how Human Risks can enable your business to be well prepared for a crisis, contact us.
